In a joint statement issued on Wednesday, both the government and insurers revealed that they will work together to highlight the cyber-risks to businesses and also to develop the local cyber-insurance market. As part of that drive, the government says that new working groups will be established, with these due to report back on the ‘key issues' from the market to the Cabinet Office next April.
This announcement came shortly after a dozen of the UK's leading insurers met with Cabinet Office minister Francis Maude - as well as officials from the UK Trade & Investment, Department for Business, Innovation & Skills and GCHQ - as a way of looking to expand their collaboration.
Maude yesterday co-hosted a summit of CEOs from the insurance sector in conjunction with insurance broker and risk adviser March, and the event was designed to discuss how the sector can ensure that the UK is one of the safest places to do business in cyber-space.
In a statement released shortly after the conference, Maude detailed how cyber-insurance can provide added protection to UK businesses – but only when used alongside ‘good cyber-security'.
“Protecting the cyber-security of UK businesses is an important part of this government's long-term economic plan – we want the UK to be one of the most secure places in the world to do business,” said Maude.
“We want to support the growth of a cyber-insurance market in the UK so we are very pleased to come together with the UK's world-renowned insurance sector. Cyber-insurance does not replace the need for good cyber-security practice but is an added protection for businesses in the event of breaches.”
Meanwhile, Marsh UK & Ireland CEO Mark Weil added that cybe-insurance has its place in an age where a data breach often equals brand damage and spiralling costs.
“As recent network attacks and data breaches have demonstrated, cyber-security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence,” he said.
“A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations. Cyber-attacks can even cause physical damage by manipulating control processes. Companies should be assessing their vulnerability to cyber-attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business.
EY's executive director for cyber-security and resilience, Mark Brown, said that the news demonstrates the government's commitment to cyber-security. The government launched the £860 million National Cyber Security Strategy in 2011 and has since launched associated initiatives such as the '10 steps to cyber-security' guide and Cyber Essentials.
“This announcement further demonstrates the level of importance being placed by the UK Government on cyber-security,” he told SCMagazineUK.com. “Many firms are now focusing on how they protect against the consequential financial impacts of a cyber-incident and are turning to insurance as a mechanism to alleviate risk.
“However, whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their cyber-security defences. Consideration should be given to rewarding those businesses who can demonstrate effective cyber-security through certification schemes such as Cyber Essentials.”
Brown added that high-performing companies in the area of cyber-security should be incentivised via cost reductions.
“Those organisations that show high levels of effective cyber-security should be rewarded through options such as insurance premium reduction. This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage.”
Darren Anstee, director of solutions architects at Arbor Networks, added in an email to journalists: “With cyber-attacks becoming ever more frequent and sophisticated, enhancing businesses' ability
"Regulatory changes, media coverage, contractual requirements for cover and actual experience of breaches are all playing their part in the growing demand for insurance.
"However, businesses should not rely on insurance as a way mitigating their risk of attack. Organisations can no longer afford to make mistakes when it comes to security, and need to implement multi-layered defences and the appropriate operational processes to protect the business from the attacks that are out there today.”